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Abstract 

It is known that the maximum classical mutual information that can be achieved between measure- 
ments on a pair of quantum systems can drastically underestimate the quantum mutual information between 
those systems. In this article, we quantify this distinction between classical and quantum information by 
demonstrating that after removing a logarithmic-sized quantum system from one half of a pair of perfectly 
correlated bitstrings, even the most sensitive pair of measurements might only yield outcomes essentially 
independent of each other. This effect is a form of information locking but the definition we use is strictly 
stronger than those used previously. Moreover, we find that this property is generic, in the sense that it 
occurs when removing a random subsystem. As such, the effect might be relevant to statistical mechanics 
or black hole physics. Previous work on information locking had always assumed a uniform message. In 
this article, we assume only a min-entropy bound on the message and also explore the effect of entangle- 
ment. We find that classical information is strongly locked almost until it can be completely decoded. As a 
cryptographic application of these results, we exhibit a quantum key distribution protocol that is "secure" 
if the eavesdropper's information about the secret key is measured using the accessible information but in 
which leakage of even a logarithmic number of key bits compromises the secrecy of all the others. 

Keywords: information locking, quantum information, encryption, discord, measure concentration, 
black holes 



1 Introduction 

One of the most basic and intuitive properties of most information measures is that the amount of information 
carried by a physical system must be bounded by its size. For example, if one receives ten physical bits, 
then one's information, regardless of what that information is "about", should not increase by more than ten 
bits. While this is true for most information measures, in quantum mechanics there exist natural ways of 
measuring information that violate this principle by a wide margin. In particular, this violation occurs when 
one defines the information contained in a quantum system as the amount of classical information that can be 
extracted by the best possible measurement. To construct examples of this effect, we take a classical message 
and encode it into a two-part quantum message: a cyphertext, which is roughly as large as the message, and 
a much smaller key. Given both the cyphertext and the key, the message can be perfectly retrieved. We can 
then look at the amount of information that can be extracted about the message by a measurement given only 
access to the cyphertext. Locking occurs if this amount of information is less than the amount of information 
in the message minus the size of the key. 
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In previous work on locking [DHL+04, HLSW04], this amount of information was taken to be the accessible 
information, the maximum (classical) mutual information between the message and the result of a measure- 
ment. In [DHL + 04], the authors constructed the first example of locking as follows: the cyphertext consists of 
the uniformly random message, encoded in one of two mutually unbiased bases, and the (one-bit) key reveals 
the basis in which the encoding was done. In this example, given only the cyphertext, the classical mutual in- 
formation is only | for an n-bit message. Hence, the one-bit key can increase the classical mutual information 
by another | bits. In [HLSW04], the authors considered a protocol in which one encodes a classical message 
using a fixed basis, and then applies one of k fixed unitaries (where k = O (poly log n + log the classical 
key reveals which unitary was applied. If the unitaries are chosen according to the Haar measure, then with 
high probability, the accessible information was shown to be at most en when one only has the cyphertext. 

In this paper, we present stronger and more general locking results, and show that this effect is generic. Our 
results will be stronger in the sense that instead of using the accessible information, we will define locking in 
terms of the trace distance between measurement results on the real state and measurement results on a state 
completely independent of the message (see Definition 2.4). Unlike the accessible information, this has a very 
natural operational interpretation: it bounds the largest probability with which we can guess, given a message 
m and the result x of a measurement done on a cyphertext, whether x comes from a valid cyphertext for m or 
from a cyphertext generated independently of m. In other words, one could almost perfectly reproduce any 
measurement results made on a valid cyphertext without having access to the cyphertext at all. Moreover, we 
recover a strengthened version the earlier statements about the accessible information. Whereas previously 
the accessible information was shown to be at most 3 bits, our techniques show that the accessible information 
can be made arbitrarily small. (A follow-up paper further strengthens the definition and explores connections 
to low-distortion embeddings [FHS10].) 

Despite this stronger definition, we will be able to show that the locking phenomenon is generic. Instead 
of having a classical key reveal the basis in which the information is encoded, as in [DHL + 04, HLSW04], 
we consider the case where there is a single unitary, and the key is simply a small part of the quantum 
system after the unitary is applied. This means that we can make not only cryptographic statements, but also 
statements about the dynamics of physical systems, where the unitary represents the evolution of the system. 
In particular, we will be able to show that locking occurs with high probability in physical systems whose 
internal dynamics are sufficiently generic to be adequately modelled by a Haar-distributed unitary. This can 
therefore give interesting results in the context of thermodynamics, or of the black hole information problem. 

In that vein, we will also allow the measuring device to share entanglement with the cyphertext-key compound 
system. While this may not correspond to a very meaningful cryptographic scenario, it allows us to study the 
behavior of entanglement in physical systems, and to study the extent to which the presence of entanglement 
interferes with this locking effect. 

Finally, in contrast to previous studies, we will not limit the message (or the entanglement) to be uniform; 
the size of the key will instead depend on the min-entropy of the message. This assumption is easier to 
justify in cryptographic applications. Indeed, while the locking results we present here can be interpreted 
as demonstrating the possibility of encrypting classical messages in quantum systems using only very small 
keys, care must be taking when composing such encryption with other protocols. We use our results to exhibit 
a quantum key distribution protocol, for example, that appears to be secure if the eavesdropper's information 
about the secret key is measured using the accessible information, but in which leakage of a logarithmic 
amount of key causes the entire key to be compromised. 
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1.1 Transmitting information through a generic unitary 



To end the introduction, we introduce the physical scenario that will occupy us throughout the article. The 
situation is depicted in Figure 1. 
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Figure 1: A quantum circuit depicting the physical scenario. The classical message M gets encoded in N, 
and the unitary then mixes it with the E part of the shared entanglement. If the information is locked, any 
joint measurement A4 on C and E' will yield a result X that is almost independent of the message. On the 
other hand, if C is large enough, there will be a joint measurement M. reliably decoding M. 

Now, let {\ipm) ■ I ^ m ^ \M\} be any orthonormal basis for N. The analysis will focus on the properties 
of the states 
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Our objective is to demonstrate that until C is large enough that there exists a measurement on CE' capable 
of revealing all the information about the message M, no measurement will reveal any information about the 
message. This can't quite be true, of course, so what we will demonstrate is that the jump from no information 
to complete information involves enlarging C by a number of qubits logarithmic in the size of the message M 
and the amount of entanglement E. 

Assume for simplicity both that M is uniformly distributed and that the state u EE ' is maximally entangled. 
As a first step, it is necessary to determine how large C needs to be in order for there to exist a measurement 
on CE 1 that will reveal the message M. Begin by purifying the state a to 
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Even more demanding than performing a measurement to reveal m is the task of transmitting the quantum 
information about RM through U, allowing the decoder, who has access only to CE', to recover a high 
fidelity copy of the state \a) RMN . If U is selected according to the Haar measure, then Theorem IV.l of 
[ADHW09] implies that there is a quantum operation V CE ^ N acting only on CE' such that 
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Because the trace distance is monotonic under quantum operations, it will not increase by taking the partial 
trace over R and measuring in the basis {(V'm)} [NCOO]. If we let p{m'\m) be the probability of getting an 
outcome |Vw) when the message was in fact m, Equation (1.4) therefore implies that 

^E E V{m'\m)<^. (1.5) 

In words, the probability of the measurement yielding the incorrect outcome, averaged over all messages, is 
at most so as soon as C is significantly larger than M, a measurement on CE' can be found that 

will reveal the message. Our goal in this article will be to demonstrate that until this condition is met, no 
measurement will reveal any significant information about the message. 

1.2 Structure of the paper 

The next subsection explains the notation used throughout the paper, and we then move on to the formal 
definition of locking as well as other important concepts in Section 2. Section 3 will state the main results and 
give a high-level overview of the proof, and Section 4 will begin the proof with some key lemmas. Section 
5 will deal with the proofs of our theorems in the easier case where the measurement device is restricted 
to making only projective measurements, and Section 6 will deal with the case of general measurements 
(POVMs). We then show in Section 7 that, in many regimes, as soon as the information is not locked, it is 
completely decodable. Implications for the security definitions of quantum cryptographic protocols will be 
presented in Section 8, and we conclude the paper with a discussion in Section 9. 

1.3 Notation 



General 



log 


Logarithm base 2. 




Expectation value of f(U) over the random variable U. 


AB 


Composite quantum system whose associated Hilbert space is 




A <g) B. We frequently identify quantum systems with their as- 




sociated Hilbert spaces. 


\A\ 


Dimension of Hilbert space A. However, we will often drop the 




| • | . For example, the dimension of the composite system MCK 




is denoted by MCK (a scalar value). 




Two identical copies of A the second of which is denoted by A. 


m A ,\<p) A ,... 


Vectors in A. 


i> A ^ A ,... 


The "unketted" versions denote their associated density matrices: 




il) A = Furthermore, if we have defined a state ^ AB , then 




ip A = Tr B ty> AB ]. 


n A 


The maximally mixed state ^ . 


U{A) 


The unitary group on A. 


Pos(A) 


The subset of Hermitian operators from A to A consisting of pos- 




itive semidefinite matrices. 


£{s,ri) 


The set of all (s, ry)-quasi-measurements, see Definition 2.3. 
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Operators 

M A-^B 



M 



M-N 
M 



op A ^B(m AB ) 



Identity operator on A. 

Indicates that the operator M is a transformation from states on 
A to states on B. 

Indicates that the superoperator M is a transformation from op- 
erators on A to operators on B. M and A4 will be freely identi- 
fied with their extensions (via tensor product with the identity) to 
larger systems. 

MNM^ 

If M, N G Herm(A), this means that TV - M G Pos(A). 
If M G Pos(yl) has spectral decomposition M = ^ 
thenVM = Z l VK\A)(Al 

Projector onto the symmetric (+) or antisymmetric (— ) subspace 
of^® 2 . 

Turns a vector into an operator. See Definition 4.2. 



Norms and Entropies 
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I(A;B) p 




Iacc{A; B)p 



TtVWm 

v / Tr[MtMj 

Largest singular value of M, i.e. the operator norm of M. 

Renyi 2-entropy of A, defined as — log Tr[p 2 ]. 

Quantum min-entropy of A, defined as — logminA<=iR{A : p A ^ 

XI A }. 

Quantum max-entropy of A, defined as 2 log Tr \fp A . 

Mutual information of A and B, defined as H(A) p + H(B) p — 

H{AB) p . 

Accessible information, see Definition 2.2. 



2 Definitions 

This section will present the basic definitions needed to state our results. First, it will be very convenient for 
us to represent measurements via superoperators in the following manner: 

Definition 2.1 (Measurement superoperator). We call a completely positive, trace-preserving (CPTP) map 
M : B{A) — > B(X) a measurement superoperator if it is of the form M{p) = YmLi TrfM/ 1 /?], where 

{\i) A : i G {1, . . . , A^}} is an orthonormal basis for X, each Mf- is positive semidefinite, and Yl!i=\ M A = 
l A . 

These play a central role in the definition of accessible information. 

Definition 2.2 (Accessible information [Fuc96]). Let p AB be a quantum state. Then, the accessible informa- 
tion I acc (^4; B) is defined as 

I acc (A;B) p := supI(X;Y) {A ® B){) , 
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where A A ^ X and J3 B ^ Y are measurement superoperators, and the supremum is taken over all possible 
superoperators. In other words, the accessible information is the largest possible mutual information between 
the results of measurements made on A and B. 

The accessible information was originally defined only for states in which the A subsystem was classical. In 
that case, no measurement on A is necessary in the optimization. This quantity is also known as the classical 
mutual information of a quantum state [OZ01, HV01]. 

We also need to introduce the concept of quasi-measurements for our analysis. They are, as their name 
indicates, almost measurements, but differ in three ways: they only contain rank-one elements of equal weight, 
they have exactly n outcomes, and the sum of all the elements does not necessarily equal the identity, but is 
instead bounded by fel: 

Definition 2.3 (Quasi-measurement). We call a superoperator M. A ^ B an (s, r/)-quasi-measurement if it is of 

the form M{p) = ^ zCi=i \i)(Xi\p\Xi)(i\ where the \i) index an orthonormal basis for B, and^- Y2i=i IXi)(Xi| 
Tjl . We call the set of all (s, r])- quasi-measurements on a given system, C(s, rf). 

The reason for introducing these, as will soon become apparent, is that they are almost equivalent to POVMs 
for our purposes while being much easier to handle mathematically. It can easily be seen that projective 
measurements are simply (A, l)-quasi-measurements. 

We now give the formal, strengthened definition of locking. The states in question were introduced in Section 
1.1. However, because the cyphertext will always be smaller than or equal to the message when locking 
occurs, certain identifications become possible. In particular, we can assume without loss of generality that 
N = C ® K and D = E ® K. Since the analysis will be performed using only C, K and E, we reproduce 
the illustration of the physical scenario with the identifications made in Figure 2. 



03 




J 



Figure 2: A quantum circuit depicting the physical scenario with the locking-specific identifications N = 

C ® K and D = E <g> K made. 

Definition 2.4 (e-locking scheme). Let M, C, K, E and E' be quantum systems. Let p MCKEE ' he a quantum 
state of the form 



EE'\ tt CKE\ 



pMCKEE' = Y^ Pm U CKE (|m)H M ® \^Mm\ CK \w){u>f*) U 



(2.1) 



where the \ ip m ) are orthogonal and JJ is unitary. Then we call p an e-locking scheme if for any measure- 
ment superoperator M CE ~^ x , we have that 



M p 



MCE' 



M{p M ®p CE ' 



< e. 



Note that this definition of locking is rather different from that used in previous work in the area ([DHL+04, 
HLSW04]). Their definition involved the accessible information between the cyphertext and the message. We 
can show that our definition implies the older one: 

Lemma 2.1. Let£ MB be a cq-state such that \\M(l; MB ) - £ M <8> < e for all measurement super- 

operators A4 B ^ X . Then, 

I acc (M;B)i: < 4elogM + 2r?(l - e) + 2 V {e), 
where rj(x) := — x log x and rj(0) = 0. 

Proof. This is a direct application of the Alicki-Fannes inequality [AF04] . □ 

Four quantities will be particularly useful for quantifying variations from uniform messages and maximal 
entanglement, 

Aa/,00 := 2 lo ^ M - H ^ M ^, (2.2) 
A M , 2 := 2 lo s M "^(M) CT) (2 _ 3) 

A E ,oo := 2 log£ -^ min(s) ", (2.4) 
A Ej2 := 2 lo ^ E - H ^ E ^. (2.5) 

For a point mass distribution p m , Am,oo = Am,2 = \M\ and for the uniform distribution Am,oo = Am,2 = L 
To give an interpretation of the Ae quantities, we can note that for a bipartite \lo) ee with no entanglement, 
A_e i00 = Ag,2 = \E\. However, if \oj) ee is the maximally entangled state, then A£ i00 = Ae,2 = 1> which 
we call maximal entanglement. The case of a uniformly distributed message and maximal entanglement will 
give the simplest expressions for minimum key size. The A terms are used in the calculations to provide more 
general statements relating the entropy of the message and entanglement to the key size. 



3 Main results and proof sketch 



The locking scheme we study is a scheme where the unitary in Definition 2.4 is chosen according to the Haar 
measure. Let c, e and n be the logarithms of |C|, \E\, and \M\ = \N\ respectively. In particular, the message 
is n bits long. Define K = M/C and k = logK. Then k = n — c is the difference in size between the 
message and cyphertext, that is, the size of the key. Our main theorem is the following: 

Theorem 3.1. IfU is chosen according to the Haar measure, then the scheme described in Definition 2.4 is 
an e-locking scheme with probability at least 1 — 2~ 9 d c 'll- B l) 

k > -(n - i? min (M) CT ) + - (e - H mhl (E)^ + log(c + e) + 2 log(l/e) + 11 

as long as e > 16Ae i0O / \J\KE\. 

For the cryptographically relevant case in which there is no entanglement shared with the measuring device, 
we therefore get: 

Corollary 3.2. If U is chosen according to the Haar measure, then the scheme described in Definition 2.4 
without shared entanglement is an e-locking scheme with probability at least 1 — 2~ 9 I C I if 

k > ^(n-F min (M) CT ) +logc + 21og(l/e) + ll 

as long as e > 16/ ^/\K\. 
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Hence, the size of the key must be at least as large as half the "min-entropy deficit" (n — i? m i n (M) cr ) of the 
message plus a term of the order of the logarithm of the size of the message. In particular, for a uniform 
message, the min-entropy deficit is zero, and a key of size at least logc + 21og(l/e) + 11 is sufficient for 
locking. 

Conversely, we can show that in certain regimes, if the information is not locked, then it is completely decod- 
able, with almost no middle ground. More precisely, we have the following: 

Theorem 3.3. If U is chosen according to the Haar measure, then the information in the scheme described in 
Figure 1 without shared entanglement is asymptotically almost surely decodable to within e in trace distance 
for a receiver with only C as long as 

k^ l -(n- H max (M) a ^ -\{e- H 2 (E)S) - 2 log(l/e) - 4. 

Note that decoding the message will often require that the cyphertext be longer than the message, in which 
case k will be negative. Comparing Theorems 3.1 and 3.3 reveals that the difference between being e-locked 
and being able to decode quantum information to within £ is determined by at most 

X - [F max (M) CT - H miQ (M)a] + [e - H miQ (EU + log(c + e) + 41og(l/e) + 15 
qubits, where the inequality H2 > H mm has been used to simplify the expression. 

In other words, if we consider the case of maximal entanglement, then the gap between locking and de- 
codability can only be as wide as the difference between the min- and max-entropy of the message modulo 
logarithmic terms. One should note that this gap is real, and not only an artifact of our proof technique. To 
see this, consider an n-bit message distributed such that with probability \ , the first bit is uniform and the rest 
of the string is always zero, and with probability \ the whole string is uniform. The max-entropy of such a 
message is n, but the min-entropy is tiny. Now, to be able to decode, one must be able to decode the entire 
string in the "worst-case" scenario where the whole string is uniform, so the max-entropy is relevant in this 
case. But in the locking case, we must be able to lock in the worst-case scenario of only one bit being random, 
so the min-entropy is the relevant quantity here. 

The effect of non-maximal entanglement is not entirely clear, however. There is a fairly large gap between 
our locking and decodability results here, but the locking side is almost certainly not tight in general. For 
instance, we can easily set up the system in such a way that there is a part of E' that is clearly useless, but our 
proof technique forces us to take this part into account, which artificially hurts our bound. This extreme case 
can be ruled out by restricting E' to the support of uj e , but it seems likely that more gains could be found in 
the general case. 

Finally, in addition to studying locking for its own sake, we use our results to exhibit a quantum key distri- 
bution protocol that appears to be secure if the eavesdropper's information about the secret key is measured 
using the accessible information, but in which leakage of a logarithmic amount of key causes the entire key to 
be compromised. This is done in Section 8. 

3.1 Proof sketch 

We will give here a very high-level overview of the proof. The basic idea is to start from the fact that, given 
a fixed measurement superoperator, the probability over the choice of unitaries that this measurement yields 
non-negligible correlations is extremely small. Then, we would like to discretize the space of all measurement 
superoperators and use the union bound to show that the probability that any measurement superoperator 
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yields non-negligible correlations is still very small. For this to work, the "number" of measurements has to 
be much smaller than the reciprocal of the probability of getting a bad U. However, the set of measurement 
superoperators cannot be discretized directly, since (among other things) they contain a potentially unbounded 
number of outputs. Hence, we will instead use the above argument on (s, 7?)-quasi-measurements, which can 
be discretized easily (see Lemma 4.4), and then show that the best measurement cannot beat the best (s, 77)- 
quasi-measurement by too much. Along the way, we also prove the special case where the measurement 
device is constrained to making projective measurements, which can be viewed simply as (CE', l)-quasi- 
measurements. 

The basic ingredient of the proof is the following concentration of measure theorem on Haar-distributed 
unitaries: 

Theorem 3.4 (Corollary 4.4.28 in [AGZ09]). Let f : U(d) — > R be a function with Lipschitz constant 
(see Definition A.l; the Lipschitz constant is taken with respect to the Hilbert-Schmidt distance on unitaries). 
Then, 



Vr v {\f(U)~ E v f\ >e}<exp 



46> 2 J 



We apply the theorem to the function 

9M(U) = \M (p MCE ')-M(p M ®p CE ') 

for any fixed (s, 77)-quasi-measurement M., where p depends on U as in Equation (2.1). To do this, we need 
to bound two quantities from above: the expected value Kgj^(U) and the Lipschitz constant 0. The bounds 
appear in Lemmas 4.1 and 4.2 respectively, and the resulting concentration statement looks like (see Equation 
(4.22)): 

Pr u {g M {U)>e}^e X p^ ^ (e - -j= j J. 

Now we are in a position to use our e-net over (s, 77)-quasi-measurements (Lemma 4.4) and the union bound 
to get a bound on the probability that there exists an (s, 7?)-quasi-measurement M for which g_w (U) > e; this 
is done in Theorem 4.5. 

At this point, the proof splits into an "easy" and a "hard" branch. The easy branch (Section 5) applies Theorem 
4.5 to projective measurements. The result is immediate, since a projective measurement is simply a (CE', 1)- 
quasi-measurement. The hard branch (Section 6) goes for the full prize: showing that Qm(U) is small for 
every POVM with high probability. For this, we essentially show that a POVM corresponds (for the purposes 
of this proof) to a distribution over sequences of s states. The operator Chernoff bound can then be used to 
show that this distribution is almost entirely supported on sequences that are (s, ?7)-quasi-measurements, for 
s = 0(CE\og(CE)) and 77 = 0(1). We then apply Theorem 4.5 on these sequences, conditioned on the 
sequence being an (s, r7)-quasi-measurement. A trivial bound is sufficient to cover the other case. 

All that is then left to do to get the statements in the theorems stated above is to calculate conditions on the 
various parameters to make the exponent a reasonably large negative number. 



4 Concentration of the distinguishability from independence 

To be able to use the general concentration of measure theorem (Theorem 3.4) on gju(U), we must first be 
able to upper-bound the expectation of gjw(U) with respect to U. The following lemma does this: 
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Lemma 4.1 (Distinguishability for a fixed measurement). If M CE '^ x is an (s, r])-quasi-measurement, then 

2A E>00 



E 

u 



M(p MCE ')-M(p M ®p CE ') 



\[KE 



Proof. We begin by expanding and simplifying the original expression 



M (p MCE ') -M(p M ® P ce ') I = E \M {p 



MCE> _ p M 0p CE> 



< E\l sTr 



((a M )-V4 M (p MCE ' -p M ® p CE ') (a M )-^Y 



sETr 



(4.1) 



(4.2) 



In the manipulations above we have used the linearity of the superoperator M in the first line. In the second 
line we have used Lemma A.4 with 7 = I x <g) a M , noting that \X\ = s. The third line follows from 
the concavity of the square root. We will now use a helpful identity for the trace of an operator squared: 
TrZ 2 = Tr(Z ® Z)F, where F is defined as follows. 

Definition 4.1. The swap operator on A® 2 , which is written as A ® A, is the unique linear operator F A 
satisfying 

F A (\^ A \<i>) A ) = \<t>) A \i>) A mM)- 

Expressing Equation (4.2) using the swap operator gives 

m(^ ce, )-M(p m ^p ce, )\ (4.3) 



sTr 




\ 



{CE'f 



r 

J^Tr [F M ® {xf E 'f 2 ) g [(^ M )" 1/4 (/> MCS ' " P M ® /9 cs ')(^ M )" 1/4 ] ( 



i=i 



(4.4) 



Equation (4.4) follows from the fact that results of the measurement M are stored in an orthonormal basis 
of system X. We will proceed by evaluating E{{a M )~ 1 / i (p MCE ' - p M ® p CE ') (a M )~ 1 / A ) m , but before 

continuing we absorb the two cr -1 / 4 into the operator p. That is we define, 



|M| 



~mck . = j2^\ m )(m\ M ' ®\ij, m )ty m \ CK and 



m=l 



-MCKEE' 



■MCK ~ , BE' 



(a M )" 1/4 p MC ™' (0~ 1/4 = (I MB ® • (a- J " ' 



(4.5) 
') • (4-6) 



With these two definitions in hand we can expand E ^p 

E(p MCE '-p M ®p CE ')® 2 



MCE' _~ p M p CE 



as 



(4.7) 



E (Tr KE 



= Tr 



KEKE 



U CKE -{{a 
e(u cke -([o 



> a; 



MCK _ ~M ^ „CK\ 



a CK ) 



)EE ')) 



= Tr 



KEKE 



jjCKE ^jjCKE ^jME'ME' 



'-MCK ~M ^ „CK 

a — a ' r 



e CK )®u EE ') dU 



.(4.8) 
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To evaluate the integral with Lemma A.l, we will need to calculate the projections of our operator onto 
the symmetric and antisymmetric subspaces of {CKE)® 2 . Since the projectors onto the symmetric and 
antisymmetric subspaces can be written as TT-|- = ^ (I ± F), we can arrive at same results by working with I 
and F. We begin with I: 



Tr. 



CKECKE 



CKECKE 



(4.9) 



1pm ~ ^2p m "^m" 



M ^ , .E'\®2 



0. 



The projection onto F requires a more subtle calculation, 



Tr 



CKECKE 



( ~MCK _ d M CJO 



U EE'\- F CKE 



(4.10) 



^2y/p^\m)(m\ M ® ^ ^/Pm/\m'){m' 



M 



■Tr CK 



V>m ~ ^Pm'^m" YW ~ ^Pm'"^ 



Tr 



EE 



By taking a closer look at Equation (4.10) we can make the simplification 



Tick 



= Tick 



tpm ~ ^2Pm"1pm" I I VW ~ ^Pm'^m"' ] 
m" J V m'" J . 

Ipmlpm' ~ ^2Pm"1pm"tpm' ~ ^ Pm"'^m^m"' + Prn"Pm"'^m"A, 



$mm' ~ Pm' ~ Pm + ^ P m " ■ 



(4.11) 



Now we define a„ IM as the quantity evaluated in Equation (4.10). Substituting the result of Equation (4.11) 
gives 



-MM . = T 



CKCK 



(~MCK_~M^ a CK^ F CK 

J>™ {\m){m\f 2 -a M ® (a W f - {d M f ® a M + i^pi) a M ® a 



M 



We also define VL E ' E ' as the operator acting on system E'E' in Equation (4.10), or Q. E ' E ' = Tt e ^[(uj ee ')^ 2 F e ] 
At this point, Lemma A.l can be used to evaluate the integral in Equation (4.8). We can make significant sim- 
plifications by first expanding the a± and then using our result from Equation (4.9) to show that 



1 



a± 



Tr. 



ran 

±[d^®^l E,E7 ) 
CKEiCKE ± 1) 



CKECKE 



"<K-a M ®a CK f 2 ®(u EE ') ( 
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where the terms H± KE are the projectors onto the symmetric and antisymmetric subspaces of (CKE)® 2 , that 
is l(fCKECKE _|_ pCKEy j n particular, because a + is proportional to a_, the integral will have the product 
form 



-MM 



n 



E'E> 



U CKE 



Y\CKE 



(cKEiCKE + 1) CKE(CKE - I)) ' 



so the calculation of the trace in Equation (4.4) will factor into a product over the systems (M)® 2 and 
(CKEE 1 )® 2 . Thus, 



^(MKE)® 2 
= Tr 



Tr 



(CE')i 



-MM t?M 
Or, r 



Tr 



(x? E '®i KE ) 



^MCE' _ ~M ^ p CE 



1 



jM 



( Yi% KE ®ti E ' E ' nc KE ®n E ' E ' 

I CKE(CKE + 1) ~ CKE{CKE - 1) 



The first first factor in Equation (4.12) can easily be bounded: 



Tr 



MM 



-MM t?M 



= E^-E^ /2 -E^ /2 +E^ 

m m m m 

^ 2 s £ jVm = 2. 



(4.12) 



To estimate the second factor in Equation (4.12) we will need to observe two facts. First, that 

< (KE) 2 



Tr 



(X 



CE' ^ t,KE\®2 tjCKECKE ^ qE' E' 



n 1 



(4.13) 



which follows from the fact that xf E> is a rank 1 projector. Second, that 

( X ? E ' ®I KE f 2 F CKE ®Q E ' E ' Kl: !• 



Tr 



E'E 7 



TV 



CE'\®2pC 



n 1 



(4.14) 



If we use Equations (4.13) and (4.14) to estimate the second factor of Equation (4.12) we get the bound 

/ u% KE ® n*^ n CXB ® N " 



Tr 



[x? E '®i KE ) 



\ CKEiCKE + 1) CKE(CKE - 1 

/ {KEf + KE (KE) 2 - KE 

\2CKE(CKE + 1) ~ 2CKE(CKE - 1) 
2 







This can be rewritten in a more familiar form using 



(4.15) 







2 — 2-ffmin(-E)uj 



In the above, the third equality follows from the fact that the operator norm is right-invariant under unitary 
transformations and F is a unitary matrix. Combining the results in Equations (4.13) and (4.15), as well as 
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the above identity, we obtain an upper bound for the trace distance through Equation (4.4), 

M{p MCE ')-M(p M ®p CE ') 



\ 



2A 



E 2 - 

i=i 



{C) 2 KE 



\[KE 



□ 



Lemma 4.2. gjv[{U), the trace distance to independence for a fixed (s,rj)-quasi-measurement, is Lipschitz 
continuous on the space (U(CKE), ||-|| 2 ) with constant 4t]^Am,oo ^-e,oo/ME. 

Proof. We wish to analyze the behaviour of the trace distance with respect to the unitary matrix defining the 
channel. Recall the definition of function gjvi(U), 



9M (U) = \\M [p MCE ') - M {p M ® p CE ') 



If we denote by pu and pv the states Trx [U ■ a] and Ttk [V ■ a] respectively, we can bound the deviation of 
gM using the triangle inequality by 



\9M(U)-g M (V)\ ^ M[$ 



JsACE' 



JsACE' 



+ 



M (pff P C u E ') -M(pt?® p c v e ' 



(4.16) 



M (pff CE ' - p^ CE ') 



+ 



where the second line follows from the linearity of the superoperator. We note that for any hermitian operator 

c, 



ll*l(C)lli 



CE' 
s 

CE' 

s 

CE' 



1=1 



1 

CE' 



Ei<»icixi>i<—E<»iiciixi> 
i=i i- 

E Tr fcici]^iiciii, 



where the last inequality follows from the definition of (s, r/)-quasi-measurements. Applying this new fact, 
our bound in Equation (4.16) becomes, 



„MCE' „MCE' 

Pu ~ Pv 



+ 11 



° M ® (p C u E ' ~ P C v E ') 



(4.17) 



MCKEE' MCKEE' 

Pu ~ Pv 



\9m(U) - g M (V)\ ^ v 
< 2r? 

= 2t}\\(U-V)-<t®u\\ 1 , 

where the second line follows from monotonicity. We introduce a purification of a M in a new but tempo- 
rary system N such that dim(iV) = dim(M). We also recall that oj is pure. This permits us to use Lemma 
A.3 and arrive at the following consequence of Equation (4.17), 

\9M(U) -g M (V)\ < 4 V \\(U CKE - V CKE ) ®1mne>\<t) MNCK \u) EE ' 
We now introduce a helpful operation. 



(4.18) 
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Definition 4.2 (Vector-operator correspondence). Endow systems A and B with fixed orthonormal bases 
{\o-i) A }i and {\bi) B }i respectively, and let op^ B : A<g> B — > L(A, B), the space of linear transformations 
from A to B, be defined as 

°Va->b (\ a i)\ b j)) = \bj)(ai\ Vi,j 

This operation depends on the choice of basis; therefore, whenever it is used, a particular choice of basis is 
implied. Since this choice will never matter in our calculations, we shall not explicitly define these bases. 

Useful properties of the correspondence can be found in [Dup09]. 

We can think of the operator (U CKE - V CKE ) <8> I MNE ' as bipartite over composite systems MNE' and 
CKE. Since the 2-norm depends only on the Schmidt coefficients of the states, it will be invariant under the 
op operation defined in Definition 4.2. Our bound from Equation (4.18) then becomes, 



\9M(U)~ 9M(V)\ < 4r? 



°Pmne'^cke 



'jjCKE _ yCKE 



) 



ttMNE' I \MNCK . 

11 \a) \oj 



) EE ') 



4r] \\(U - V) op MNE ,_> CKE (|ff)|w))|| 2 , 



where the second line follows from the fact that op MNE ,^ CKE is linear and commutes with unitary transfor- 
mations on CKE. We are left with a few easy steps to bound the Lipschitz constant. 



\9m(U) - g M {V)\ ^ 4v 
= 4i] 

= 4?7 



= 4?? 



= 4?? 



U ~ V\\ 2 hVMNE'^CKE (k)|w))|| c 



U-V\\ 2 ^j 



u-v\ 



CK ®U E \ 




U — V\\ 2 \J max p m ■ 2 H ™in(E) w 



4?7 V / Am,oo &e 

Vme 



\u-v\ 



A proof of the inequality can be found, for example, in [Dup09]. The second line follows from the fact the 
Schmidt coefficients of \ a } MNCK are the square roots of the eigenvalues of a CK . The last line follows from 
the definition of A m ; n . □ 

In order to discretize the set of all (s, r/)-quasi-measurements, we require a distance measure for the set. 

Definition 4.3 (Metric on the set of (s, ry)-quasi-measurements, £(s, rj)). Consider M, N G C(s, rj) defined 
as 



M(a) 



\CE'\ 



$^l«}(x*Mxi}(»l 



\CE'\ 



^2 \i){n\o-\vi){A- 



i=l 



i=l 



We define the distance between these two elements as 



d(M,M) := \\xi ~ v,, 



» 112 • 



i=l 



Now letting M vary instead of U, we define a new function hu(M) by 



h v (M) 



Mlp 



MCE' 



M(p 



-W ^ p CE> 
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Lemma 4.3. hu(M) is Lipschitz continuous on the space (C(s, 77), d) with constant 2 ^^ E ' A M2 A e,2- 



Proof. As for Lemma 4.2, we can use the triangle inequality to rewrite the variation of the trace distance as 
follows, 

\h v {M) - h v {N)\ 



M [p MCE ') - M [p MCE ') I + \\m [ p m P CE ') - M [ P M P CE ') 
CE ' E (|| Tr ^' - v? E ') P MCE '} I + \\Tr CE > l(x? E ' ~ »? E ') P M ® P CE '} I) 



i=i 



CE' 

s 

CE' 



s 

E||( 



x? e ' - p mce ' 



i=l 



MCE' 



CE' 
+ 

1 s 

CE' 
+ 

2 S 



El(xP'--P') 



i=i 

s 



E U? E ' 



CE' 



i=l 



p M ®p CE ' 



p M ®p CE ' 



(4.19) 



where the last line follows from the operator version of the Cauchy-Schwarz inequality (see Equation (IX.32) 
in [Bha96]). Consider momentarily the second factor in the first term in Equation (4.19), 



JvlCE' 



^KE 



Ucke ■ (cr 



mck ®oj ee ' 



Tr 



MCK UJ EE 



pMCE' 



Tr 



UcKE F ° U CKt j 



(oj ee ')® 2 F E ' 



Tr Y.P 2 Mrn)(M CK ) m ®^ EE T 2 F E ' 
\ \_ m 

lTr[(LU EE ')® 2 F E '}Y,P 2 m = 2~ 1 2 H ^ M ^- 1 2 H ^( 
y m 



(4.20) 



The third line is true by the cyclic property of the trace. The inequality, however, is true by the following 
observation: since F 2 = I we know that F has eigenvalues ±1 and so F < I. We can make a similar 
evaluation for the last factor in Equation (4.19), 



p M ®p CE ' 



< 2 -^2(M) CT -i J ff 2 (S) <J 



(4.21) 



since this inequality is a just a special case of the calculations leading to Equation (4.20). If we apply Equations 
(4.20) and (4.21) to Equation (4.19), we can extract a very simple bound on the variation of the trace distance 

\h v {M) - h v {M)\ < 2 ^2-^ M ^ H ^j2h? ~-F\\ 2 



s 

2^[CE' 



y/A M ,2&E,2 d(M,M), 



where the last line follows from the definition of our metric on £(s,rj). We have also ignored a factor of 
1/VK above when expressing the bound in terms of Am, 2- We do this to simplify future calculations and it 
only gives a slightly less tight bound here. □ 
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Lemma 4.4. Given system A, there exists a e-net J over the set £(s, rj) of all (s, rf)-quasi-measurements on 
A, such that each element L G £(s, rj) is at most e- distant from an element of J G J with respect to the 
metric d(-, ■). The size of this net can be taken to be 




Proof. We begin by consider an e-net K over §*|a| (s-tuples of 2 1 A | -dimensional Euclidean unit spheres). 

First, there exists a e-net over S 2 |A| °f s i ze no more than (5/e) 2 l A L (See, for example, Lemma II.4 in 
[HLSW04].) K, can then be constructed by assembling the direct product of all the nets on the individual 
unit spheres. This produces a new net on the set of s-tuples of 2 \A\ -dimensional unit spheres. Recall the 
distance measure d(-, •) over £(s, rj), the set of all (s, ?7)-quasi-measurements. This metric can be extended to 
s-tuples. If it is then evaluated for any s-tuple x and its representative in the net y, 

s 

d(x,y) = ^2 ~ u ih ^ s£ - 
i=i 

Thus the spacing of the net K, over s-tuples is at most se with respect to the desired metric. Consider the 
following set: 

K! := {y G K. : 3 x G C(s, rj), \\x — y\\ 2 ^ se} . 

This is the set of all elements of the net /C which are close to (s, ry)-quasi-measurements. In other words, all 
(s, ry)-quasi-measurements use an element of KJ as their "representative" in the net. Now, divide £(s, rj) into 
subsets of elements which share the same representation in JC' and construct J by choosing one L G C from 
each subset. We then have by the triangle inequality that all L G C are 2se close to their new representative 
in J. Clearly \J\ ^ \K\ since it was constructed from a subset and if we wish to make an e-net over C(s, rj) 
we need only rescale the e from above, giving the result. □ 



The Lipschitz constants, expectation value and net size give us all the pieces we need to make the concentration 
argument. We show that with very high probability, the distinguishability from independence of the joint 
(potentially unnormalized) distribution of messages and quasi-measurement outcomes is small. 

Theorem 4.5 (Concentration of probability for distinguishability from independence). Given the quantum 
state p MCKEE = jjCKE . ^ a MCK ^ ^ee ) wnere jj i s a ranc lom unitary operator chosen according to the 
Haar measure, a is as defined in Equation (1.1), E' = E, and ui EE is a bipartite pure state, the following 
bound holds 



Pr < sup 

u [MeC(s,r)) 



1 > £ 



M(p MCE ')-M(p M ®p CE ') 

( f 40VCE /— \ (CKE) 2 ( 4A £oo \ ; 

^ exp 2sCEln — V A M, 2 A S , 2 - '- e - — ^ 



In the above, Am ]00 , Am,2» ^e,2 and A^ i00 are as defined in Equations (2.2), (2.3), (2.5) and (2.4). 

Proof. We apply Theorem 3.4 to g_\4 and consider only one direction of the divergence from the expected 
value. The exact statement can be written as 

(MCKE 2 f \ 2 \ 
~fiT~2A A ( £ -f r 9M) ■ (4-22) 
647? i A M ,ooA jBi00 V u J I 
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It is convenient to define 



f{M, U) = \\M (p MCE ') -M(p M ® p CE ') 



Clearly, qm and hjj are sections of / and we are interested in bounding Prjsup f(M, U) > e}. Let 

u M 



e' = 



S£ 



2- s /CEAm,2^-E,2 



and consider J an e'-net over all (s, ?7)-quasi-measurements M.. We found in Lemma 4.3 that if two (s, rj)- 
quasi-measurements were e' apart with respect to the distance measure d(-, •), then for a fixed unitary U, the 
values of / for each measurement would not differ by more than e. Thus we can state that the supremum 
deviation of / is not more than twice the maximum deviation found on measurements in the net, 



Pr <^ sup/(M, U) > 2e ^ < Pr i max f(M, U) > e } . 
u { m J u [MeJ J 

A union bound argument now bounds the probability of deviation for the maximum measurement by the 
probability of deviation for a generic measurement, 



Pr{max/(.M,£/)> £ W £ Pr {g M (U) > e} . 



Mej 

Thankfully, we have an explicit bound for the probability of deviation for an arbitrary measurement and we 
can make a simplification, 

Pr famM) > 2e} < ^exp (- ^X " g/ 
(TOy/CEA^A™ ( MCK& f 

Substituting in the fact that CK = M yields the desired inequality. □ 



5 Locking against projective measurements 

In this section we will only consider projective measurements, in other words (s, i]) = (CE f , 1). We will also 
state all of the subsequent theorems in terms of qubits. For this reason we will identify C = 2 C , K = 2 k and 
E = E' = 2 e . This last assumption, namely that E and E' have the same dimension, is crucial for this section 
because it restricts the size of the set of measurements sufficiently to allow for a straightforward discretization. 
The restriction will be lifted when we move on to generalized measurements in the next section, however. 

Our calculations, we will make repeated use of the fact that 

log(x + y) < x + log(y) Vx,y^l. (5.1) 
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Corollary 5.1 (Locking for uniform messages with maximal entanglement). Consider the locking scheme 
described in Definition 2.4 for a uniform message with maximal entanglement available at the measurement. 
Choose p and e such that e > 8y/l/ KE and p > 2~ 2 ^ CE ^ . Then the scheme will be an e-locking locking 
scheme except with probability p so long as the measurement superoperators are restricted to projective 
measurements and 

k > 9 + 21og- + -log(c + e). 

Proof. Using Theorem 4.5, we ensure that, except with probability p, our state is an e-locking scheme pro- 
vided that 

. 2l _(4oVce\ (C£;)2 



where we've defined for the time being e' as e — 4/ y/KE. A quick rearrangement of the terms reveals that 
the inequality will be satisfied if 

29 4^ n ,/2(CE)2 w (5.2) 



(O 2 V = \P 

From our choice of p we can easily see (\/p) l / 2 ^ CE ^> < 2 and from our choice of e we see that 2 9 / {e') 2 < 
2 13 /e 2 . Thus inequality (5.2) is satisfied when 

/2 13 \ / f 80\ZUe\\ 
l0g ( 'e 2 ) + bS ln21og £ )) < 2k - 

Finally, two applications of Equation (5.1) reveal that the above is satisfied provided, 

17 + 2 log ^ + log log ^ + log(c + e) < 2k. 

Rearranging the terms we see that the above condition is satisfied provided inequality (5.1) is satisfied, and 
we have completed the proof. □ 

Corollary 5.1, and its extension to arbitrary POVM measurements in Corollary 6.4 is a mathematical expres- 
sion that "generically, information is locked until it can be completely decoded." To arrive at this interpreta- 
tion, recall from Equation (1.4) that to achieve a decoding error of e, the measurement must be supplied with 
the entanglement through system E' as well as a system C satisfying c — n > 21og(l/e). Of course, this 
condition could never be met if the constraint n = c + k is assumed, but the constraint was only made for 
convenience to prove the locking results. Using it to re-express Corollary 5.1, though, we find that the infor- 
mation about the message is e-locked provided c = n — k < n — 9 — 2 log(l/ e) — 1/2 • log(c + e). Therefore, 
regardless of the size of the message or the amount of entanglement, the message goes from being e-locked to 
being decodable with average probability of error at most e with the transfer of 9 + 4 log(l/ e) + 1/2 • log(c+ e) 
qubits. 

At this point, we wish to study the dependence of the minimum key size k on the various entropies of the 
message M and the entanglement E. 

Corollary 5.2 (Locking for messages of bounded entropy with imperfect entanglement). Consider the locking 
scheme described in Definition 2.4 for a message of bounded entropy with entanglement of a bounded fidelity 
available at the measurement. Choose e and p satisfying 

£> 8A^ v> 2- 2 ^\ 
s/KE 
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Then the scheme will be an e-locking locking scheme except with probability p so long as the measurement 
superoperators are restricted to projective measurements and 

k > + I (n _ tf min (M) CT ) + 1 (e - H niiQ (E)S) < k, (5.3) 

where we've defined k' as the lower bound given in Corollary 5.1, i.e.: k! = 9 + 2 log(l/e) + 1/2 • log(c + e). 

Proof. From Theorem 4.5, we can ensure e-locking except with probability p by satisfying 

2(C£) 2 ln ( 4 °^yA M ^ 2 ) - ^ K 2 (e0 2 < Inp, 

where we've defined for the time being e' as e — 4A e,oo/VKE. A quick rearrangement of the terms reveals 
that the inequality can be satisfied if 

^7)2 ln I " V A E,2&M,2 ly-J J <K , (5.4) 

From our choice of p we can easily see {l/p) l / 2 ^ CE ^ 2 < 2 and from our choice of e we see that 2 9 / (e') 2 < 
2 13 /e 2 . Thus the inequality in Equation (5.4) is satisfied when 

13 + 2 log - £ + log(A Mi00 A £j00 ) + log (j + log X - + i(c + e) + ^ log(A Mi2 A £i2 )^ < 2fc. 

However, we know that the maximum values of Am,2 and A e,2 are M and E respectively. Combined with 
our assumption that k < c, we can quickly reduce the above to, 

18 + 3 log - + log(c + e )+(n- # min (M) a ) + (e - H min (E)^ < 2k. 
Finally, we can identify k! and give the result as desired. □ 



6 Locking against generalized measurements 

We will now show that the results of the previous section hold not only for projective measurements, but also 
for general POVMs, up to very minor changes in the various constants. The main difficulty at this point is 
that we cannot use Theorem 4.5 directly, since it only gives bounds for (s, ?7)-quasi-measurements. We must 
therefore show that a general POVM behaves essentially like an (s, r/)-quasi-measurement for the purposes 
of the theorem. Our strategy will be probabilistic in nature: we will show that doing a general POVM M 
is mathematically equivalent to randomly selecting a measurement constructed from possible sequences of 
s measurement results obtained from M.. With overwhelming probability, the sequence chosen will be an 
(s, ry)-quasi-measurement, and Theorem 4.5 will then apply in this case. 

We start by proving this last fact, namely that with very high probability, a sequence of s measurement results 
will be an (s, ?7)-quasi-measurement, for an appropriately chosen i]. 

Lemma 6.1. Let M CE '^ X be any complete measurement superoperator, withAi(ir) = Yli a i\^) (Xil^lXi) {i\> 
and consider the operator-valued random variable Y which takes the value \Xi){Xi \ w ^ probability Oii{xi\^\Xi) = 
cti/CE'. Then, s i.i.d. copies of Y will fail to be an (s,7])-quasi-measurement with probability at most 

2CE'e- s ^- l)2/CE " 21n2 . 
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Proof. Y fulfills all the conditions for the operator Chernoff bound (Lemma A.2) to apply, with WY = ir CE ' . 
This yields 



< 2CE'e- s ^ 2 ' CE ' 2la2 , 



and the probability on the left is an upper bound on the probability that the s-tuple Yi, . . . , Y s is not an (s, 77)- 
quasi-measurement. □ 

We now use this to show that best general POVM cannot do much better than the best (s, r/)-quasi-measurement: 
Lemma 6.2. It is true that 



sup 
M 



M(p 



MCE' _ p M^ p CE> 



^ max 



M ' (p MCE> -p M ®p CE ')\ i + ^CE l \ 



2-s{r ) -lf/{CE'{2\n2)) 



, (6.1) 



where the supremum on the left-hand side is taken over all measurement superoperators. 



Proof. Let .M^' - *^ be any complete measurement superoperator of the form M.(a) = X)i a »K)(Xi|°1Xi)(*l> 
and define Y to be the operator- valued random variable which takes value \i with probability eti/CE'. Let Q 
be the event that Y±, . . . , Y n is an (s, 7?)-quasi-measurement, where the Yi are i.i.d. with the same distribution 
as Y. 



M[p MCE ' -p M ®p CE ' 



^Ti CE > Xi ( 



Xi[P MCE '-P M ®P CE 



') 



CE'E Y 
CE' 



Tr CE > [Y ( 

s 

®Y U ...,Y, ^2 ll^CE 



p MCE> _ p M^ p CE 



') 



YAp MCE ' - p M ® p CE ' 



At this point we separate the expression into two terms, one for the event Q and another for its complement. 

/ 111 

Q 



M (p MCE ' - p M ® p CE ')l 



P 
CE 1 



Pr{Q}E 



ElK^ [ Y * [p MCEI - p M ® p CE ' 



i=l 



CP' 
+ Pr{Q}E 



Q 





max 








max 




M'eC(s,ri) 



EfiW [y( p mcei -p M ® P CE ')~ 
1=1 

')|| Pr{Q} + 2C£'Pr{Q} 

X' ^ p MCE' _ p M^ p CE^ || + 4(c ,^ ) 2 e - S (r ) -l)VCB'21n2_ 



X' ( f ^CE'_ f ^^ p CE 



In the above, the sum of trace distances given Q was interpreted as executing an (s, r/)-quasi-measurement 
described by Y"i, . . . , Y s , and the same sum given Q was simply bounded by 2rf (there are s terms in the sum, 
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each of which cannot exceed 2). In the last step, we have bounded Pr{Q} using Lemma 6.1 and made use of 
the fact that we can assume without loss of generality that \E\ = \E'\. 

Finally, a non-complete measurement superoperator can always be decomposed into a complete one by split- 
ting the POVM elements of rank greater than 1 ; this process always increases the trace distance. □ 



What we have achieved with the above statement is to show that the decoupling distance for a general mea- 
surement superoperator is very close to the decoupling distance of an (s, ry)-quasi-measurement. All that is 
now left to do is to use Theorem 4.5 to bound the supremum over (s, r/)-quasi-measurements, and we get the 
main theorem of this section: 

Theorem 6.3 (Locking theorem for general measurements). Given the quantum state p MCKEE ' = \jCKE . 
(a MCK <g>cj EE ) where U is a random unitary operator chosen according to the Haar measure, a is as defined 
in Equation (1.1) andu EE a bipartite pure state, then 

> e 

l 



Pr < sup 



m(p mce ')-m{p m ®p ce ') 

< -p [ mcE) - (-^«) - (. - «fr J) . 

In the above, Am,oo, Am,2> Ae,2 and Ae j0O are as defined in Equations (2.2), (2.3), (2.5) and (2.4). 

Proof. We may assume without loss of generality that \E'\ < \E\. If not, let E" be the range of p E ' = oj e ' . 
Because uj is pure, \E"\ = ranked < \E\. Let V be the isometric embedding E" E' and p MCE the 
projection of p to MCE" . Then for any POVM measurement superoperator M CE 

M( P MCE ')=M(V P MCE "V^) 

so measuring M or M o(V ■ V' ) will yield exactly the same measurement statistics. But the latter is a POVM 
on CE" and E" satisfies the desired dimension bound. 

Substituting the results of Lemma 6.2 into those of Theorem 4.5, we get the following: 



,2 



Pr jsup \M [p MCE ' -p M ® p CE ') ^ > e} < exp (^sCEln ^ 4 °^V A M, 2 A £ . 

- s f x KE) l (e - 4 (C J E) 2 e -("- 1 ) 2 /(^(2in2)) _ 4A^\ 2 \ 
2^A Mj00 A Ej00 V V ' \[KE ) ) 

We now choose i] = 2 and s = (6 In 2)CE In CE and note that this immediately implies 

2(CE) 2 e- s{r >- 1)2/CE21n2 = — . 

CE 

We absorb this factor into our "offset" for the e factor, 

8Ae j00 \ 2 



(e - 4 (CE) 2 e- s ^) 2 /CE2in2 _ 4 ^g V 



> e 



\[KE ) 

Substituting the choices for s and rj into Equation 6.2 reveals the desired result. □ 
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We now wish to express, in qubits, a lower bound for the key size for a given probability p and a given e. 
The relevant variables are M = 2 n ,C = T, K = 2 k , and E = 2 e . Unlike in the previous section, it is 
unnecessary to make any assumptions about the dimension of E'. 

Corollary 6.4 (Locking against POVMs for a uniform message with maximal entanglement). Consider the 
locking scheme described in Definition 2.4 for a uniform message and maximal entanglement available at the 
measurement. Choose p and e such that e > 16y/l/KE and p > 2~ 9 ( CE ^ . Then the scheme will be an 
e-locking locking scheme except with probability p so long as 

11 + 2 log - + log(c + e) < k. 

£ 

Proof. From Theorem 6.3 we can ensure e-locking except with probability p given 

, f 40VCE~\ 1 , 1 K 2 {e'f 

9 ln [—r- ) + WW ln p * t 

where we've defined for the time being e' as e — 8/VKE. We now make use of our lower bound for p as well 
as the assumption that \n(CE) ^ 1 to show that the above can satisfied provided 

, f80VCE\ K 2 (e') 2 

9 l n(CjB)ln ^^_j <_^. 

Solving the above equation for k and applying the condition on e reveals that the bound can be satisfied by 
the statement in the lemma. □ 

Corollary 6.5 (Locking against POVMs for messages of bounded entropy with imperfect entanglement). 

Consider the locking scheme described in Definition 2.4 for a uniform message and maximal entanglement 
available at the measurement. Choose p and e such that 

^Tke 

Then the scheme will be an e-locking locking scheme except with probability p so long as 

k' + \{n- H min (M)^ +\(e- H mm (E)Sj < k, (6.3) 

where we've defined k' as the lower bound given in Corollary 6.4, i.e.: k' = 11 + 21og(l/e) + log(c + e). 

Proof. From Theorem 4.5, we can ensure e-locking with probability p by satisfying, From Theorem 6.3 we 
can ensure e-locking with probability p given 



%CE') 2 p 2i0A M ,ooA SiOO ' 

where we've defined for the time being e' as e — 8/VKE. We now make use of our lower bound for p as well 
as the assumption that ln(CE) ^ 1 to show that the above can satisfied provided 

91n( /sov^a^A *v )a 



2 1 °AA fj00 A£ i00 ' 
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Next, we use our definition for e' and our bound for e and we solve for k to find that the bound is satisfied 
provided 

21 + 3 log X - + 2 log(c + e) + log(A Mi00 A £j00 ) < 2k. 
Finally, we can identify k' and give the result as desired. □ 

The lower bound requirement on e in Corollary 6.5 limits the corollary's range of applicability to situations in 
which H m i n (E) w is not too small. Specifically, the requirement can be rewritten in light of (6.3) as 

2 log(c + e) + (n - H min (M) a ) + 3# min (£)„ > e + const. 

So, at least when the message is uniform, the requirement is roughly that H mm (E) a > e/3. We suspect that 
this requirement can be eliminated but leave it as an open problem to find a way to do so. 



7 Locking versus decodability 



The previous sections have shown that, under certain conditions, no classical information is recoverable by 
the receiver. Here we aim to show that, in many regimes, these results are essentially optimal. We do this by 
showing that if we make the key only very slightly smaller, then with overwhelming probability, the classical 
message will be decodable with a negligible error probability. In fact we prove even more: in this regime 
where the information is decodable, the decoder can even decode a purification of the classical message. In 
other words, in this generic scenario where U is chosen with no preferred basis, either all classical information 
is locked away, or we can decode quantum information. This is formalized in the next theorem. 

In order to study decodability, we must discard the identifications made in Figure 2 to study locking and return 
to the original scenario described by Figure 1 . Whereas k was previously the number of qubits in system K , 
there is no system K in Figure 2. Instead, we define k = n — c, which is consistent with its earlier definition. 
Now, however, it might be the case that k is negative since decoding could require the cyphertext to be longer 
than the message. 

The following theorem generalizes the discussion of Section 1.1 to nonuniform messages and imperfect en- 
tanglement. 

Theorem 7.1. IfU is chosen according to the Haar measure, then the information in the scheme described in 
Figure 1 is such that there exists a decoding CPTP map 

V CE'^N mch that 



RMN 



V (Tr D [u ne ^ cd (a RMN ®u e ' e ) [U NE ^ CD y]) - a 
asymptotically almost surely, where a RMN is a purification of a MN , as long as 

fc<i(n- J H- max (M) <T )-i(e-fl 2 (£?) w )-21og(l/e)-4 



Proof. Using Theorem 3.7 from [Dup09], we get that 



E 



u 



U 



NE^CD (RMN 



UJ' 



NE^CD^] 



a RM ®p D 



< 2I^ma X (M) CT -|ff 2 (E) 




It can also be shown that the value of this trace distance will asymptotically almost surely not exceed twice 
this bound. Under this condition, we have that: 



Tr c 



U 



NE->CD I RMN 



(a RMN ®u E ) (U 



NE^CD\\ 



a RM ®p D 



< 2 x 22^ max '-^) <T ~ \H2{e)u 



C' 
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Uhlmann's Theorem then implies the existence of a partial isometry V CE '~^ NG and of a purification of p D on 
system G that we call 6 DG such that 

VU (o RMN ®u E ' E ) [/Vt _ a RMN 3 9 dg^ ^ 4 ^ 2 /W(Af) CT -tf 2 (£)^y /4 _ 
Defining V CE '^ N as £>(£) = Tr G [V^V 1 "] and tracing out system I?, we get that 

V (Ty d ~u ne ^ cd (a RMN (g) (u^e^cd^' ^ _ a RMN ^ 4 ^ 2 ff ma x(M) CT -if 2 (E) w 1/4 ^ 

Now, to satisfy the theorem statement, we need to ensure that 

4 ^H ma .*(M) a -H 2 (E) w D\ 1/4 ^ £ _ 

Taking logarithms on both sides and using the fact that log D = k + e, we get that 

2 + - [H max (M) a - H 2 (E) W + e + k - c] < logs. 
Substituting in the fact that c = n — k, we arrive at the statement of the theorem. □ 

8 Implications for the security of quantum protocols against quantum adver- 
saries 

When designing quantum cryptographic protocols, it is often necessary to show that a quantum adversary 
("Eve") is left with only a negligible amount of information on some secret string. An initial attempt at 
formalizing this idea is to say that, at the end of the protocol, regardless of what measurement Eve makes 
on her quantum system, the mutual information between her measurement result and the secret string is at 
most e (in other words, her accessible information about the message is at most e). This was often taken 
as the security definition for quantum key distribution, usually implicitly by simply not considering that the 
adversary might keep quantum data at the end of the protocol [LC99, SPOO, NCOO, GL03, LCA05] (see also 
discussion in [BOHL+05, RK05, KRBM07]). In [KRBM07], it is shown that this definition of security is 
inadequate, precisely because of possible locking effects. Indeed, this security definition does not exclude 
the possibility that Eve, upon gaining partial knowledge of S after the end of the protocol, could then gain 
more by making a measurement on her quantum register that depends on the partial information that she has 
learned. In [KRBM07], the authors exhibit an admittedly contrived quantum key distribution protocol which 
generates a secret n-bit key such that, if Eve learns the first n — 1 bits, she can then learn the remaining bit by 
measuring her own quantum register. 

The locking scheme presented above allows us to demonstrate a much more spectacular failure of this security 
definition. We will show that there exists a quantum key distribution protocol that ensures that an adversary 
has negligible accessible information about the final key, but with which an adversary can recover the entire 
key upon learning only a very small fraction of it. 

8.1 Description of the protocol 

We will derive this faulty protocol by starting with a protocol that is truly secure, and then making Alice 
send a locked version of the secret string directly to Eve. We will be able to prove that regardless of what 
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measurement Eve makes on her state, she will learn essentially no information on the string, but of course, 
she only needs to learn a tiny amount of information to unlock what Alice sent her. More precisely, let P be 
a quantum key distribution protocol such that, at the end of its execution, Alice and Bob share an n-bit string, 
and Eve has a quantum state representing everything that she has managed to learn about the string. We will 
also assume that P is a truly secure protocol: the string together with Eve's quantum state can be represented 
as a quantum state a SE such that \\a SE — ir s & a E \\\ ^ e, where S is a quantum register holding the secret 
string, and E is Eve's quantum register. Now, we will define the protocol P' to be the following quantum key 
distribution protocol: Alice and Bob first run P to generate a string s of length n, and then Alice splits s into 
two parts: the first part Sk is of size O(logn), and the second part s c contains the rest of the key. Alice then 
uses the classical key Sk to create a quantum state in register C that contains a locked version of s c and sends 
the system C to Eve. 

How secure is P'l It is clearly very insecure, since, if Eve ever ends up learning Sk (via a known plaintext 
attack, for instance), she can then completely recover s c . However, the next theorem shows that, right after the 
execution of P' , Eve cannot make any measurement that will reveal information about the key. In particular, 
P' satisfies the requirement that Eve's accessible information on the key be very low. 

Theorem 8.1. Let P and P' be quantum key distribution protocols as defined as above, and let p CES be the 
state at the end of the execution of P' : S contains the n-bit string s, E is Eve's quantum register after the 
execution of P, and C contains the locked version of s c that Alice sent to Eve. Then, for any measurement 
superoperator Ai CE ^ x , there exists a state £ x such that 

\\ M {p cEs ) -e® tt 5 ii 1 ^2 £ . 

This also entails that 

h cc {S; CE) < Sen + 277(1 - 2e) + 2n(2e) 
via the Alicki-Fannes inequality ( see Lemma 2. 1 ). 



Proof. From the definition of P, we have that 

\\p ES -ir s ® p E \\ 1 < e. (8.1) 

Now, let C s ^ cs be a superoperator that takes a classical string in S, splits it into Sk and s c , creates a locked 
version of s c with s& as the key into the quantum system C, and leaves the classical string in S unchanged; 
this is simply the operation that Alice performs when preparing C for Eve. The above inequality, combined 
with the monotonicity of the trace distance under CPTP maps yields 

\\p CES -C(ir s )®p E \\ 1 (8.2) 

and hence, for any measurement superoperator M CE ^ X , 

\\M(p CES )-M(C(ir s ) Q^W^e (8.3) 

Consider now the expression M CE ^ X (C(ir s ) (g) p E ): it can be viewed as a measurement on the C system 
of C s ~* cs (ir s ) alone that is implemented by creating the state p E and then measuring J\A CE ~^ X . Further- 
more, note that, by the definition of an e-locking scheme, we have that, for every measurement superoperator 

M c ^ x , 

\\N(C(ir s ))-N(Tr:s[C{ir S )})®Tr s \\ 1 ^e. (8.4) 
Applying this to M ce ^ x (C(tt s ) ® p E ), we get that 

\\M(C(ir s ) p E ) - M(Tr s [C(ir s )} ® p E ) <g> vr 5 !^ < e. (8.5) 
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We now use the triangle inequality on Equations (8.3) and (8.5) to obtain 

\\M(p CES ) - M(Tr s [C(7r s )} ® p E ) ® tt 5 ^ ^ 2e (8.6) 
which yields the theorem with £ x : = M (Tr 5 [C (vr 5 ) ] <g> p E ) . □ 

Hence, we have shown that requiring that Eve's accessible information on the generated key be low is not 
an adequate definition of security for quantum key distribution. We have exhibited a protocol P' which 
guarantees low accessible information and yet is clearly insecure due to locking effects. 

9 Discussion 

It is natural in physics to measure the "correlation" between two quantum physical systems using the corre- 
lation between the outcomes of measurements on those two systems. Two-point correlation functions are but 
the most ubiquitous examples. The results in this article demonstrate that this practice can sometimes be very 
misleading. The e-locking quantum states exhibited in this article would reveal no correlations using any type 
of measurement, but enlarging one of the two systems by a small number of qubits would expose near-perfect 
correlation between the two systems. This is an important and counterintuitive property of information in 
quantum mechanical systems: measurements can be distressingly bad ways to detect correlation. 

The extensive literature on quantum discord is essentially devoted to exploring the relationship between ac- 
cessible, or classical, and quantum mutual information [OZ01, HV01, BKZ06]. Since the discord is defined 
as the gap between the quantum and classical mutual informations, locking can be viewed as the extreme 
case where classical mutual information doesn't detect any of the very abundant quantum mutual information. 
Previous work had demonstrated that transmitting a constant number of physical qubits can cause the classical 
mutual information to increase from a fixed small constant to an arbitrarily large value. In this article, we have 
strengthened the definition of locking, replacing the mutual information by the trace distance to a product 
distribution. Moreover, we have shown that the locking effect still exists even when the trace distance (or the 
classical mutual information) is made arbitrarily small. In light of these results, claims that the discord is a 
robust measure of quantum correlation [WSFB09] should treated with skepticism. While discord is certainly 
a signature of quantumness, its susceptibility to locking means that it is in this important respect not robust. 

Previous studies of information locking had also always focused on the example of sending classical infor- 
mation in one of a small number of different bases unknown to the receiver. The intuition was that a receiver 
ignorant of the basis could not do much better than guessing the basis and then measuring. Most of the time, 
he would guess incorrectly and his measurement would then destroy the information. Moving away from that 
paradigm, in this article we consider classical information encoded using a single generic unitary transforma- 
tion mixing the input information with half of an entangled state shared with the receiver. The "key" then 
becomes a quantum system. While the original paradigm can be recovered by eliminating the entanglement 
and encrypting the key quantum system with a private quantum channel, the setting considered here is strictly 
more general. 

Indeed, we find that, for an n-bit uniform message and maximal entanglement, the information is generically 
e-locked until the receiver is within 0(logn/e) qubits of being able to completely decode the message. Our 
definition of locking is stronger than those previously studied and our results imply, for the first time, that the 
classical mutual information can be made arbitrarily small. Our method of proof in the case of projective mea- 
surements was a fairly standard discretization argument but the extension to POVM measurements required 
a new strategy exploiting the operator Chernoff bound. In contrast to previous studies of locking, we do not 
require the message to be uniformly distributed, working instead with a min-entropy bound on the distribution 
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of messages. In that case, we found that the key size was at most the gap between the max- and min-entropies 
of the message, modulo the logarithmic terms that dominate in the uniform situation. 

For information theorists, this may appear reminiscent of a strong converse to a channel capacity problem. 
Roughly, a strong converse theorem states that any attempt to transmit above the channel capacity will result 
in the decoding error probability approaching one. In our setting, the analog of the strong converse would be 
a matching lower bound to Equation (1.5) of the form 



whenever C < M, indicating the the probability of incorrectly decoding the message is at least 1 — e. What 
we prove here is much stronger. Equation (9.1) doesn't rule out the possibility of being able to pin the message 
down to some relatively small set. More generally, it doesn't imply a small mutual information between the 
message and the measurement outcome. Information locking does imply these stronger statements. 

As such, information locking has a natural cryptographic interpretation even if we haven't emphasized it in 
this article. The special case of our scenario mentioned above, with no entanglement and a quantum key 
encrypted using a private quantum channel, leads to a method for encrypting classical messages using a secret 
key of size independent of the length of the message. Similarly, information locking schemes can be used 
to construct string commitment protocols with surprisingly good parameters [BCH+06, BCH + 08]. These 
cryptographic applications are emphasized in the companion article [FHS10]. 

To the extent that random unitary transformations provide good models of black hole evaporation, our results 
might also have implications for that process. Oppenheim and Smolin had previously suggested that informa- 
tion locking could rescue the long-lived remnant hypothesis [SO06]. In essence, their idea was that a remnant 
with a small number of states could lock all the information of a large black hole, thereby evading the incon- 
sistencies with low energy physics that arise from having large numbers of remnant species [ACN87, CW87]. 
Their proposal, however, relied on previously studied locking states that treated the encoded message and the 
key very differently. Consequently, the proposal required that the black hole keep hold of the key until the 
very last moments of its evaporation, implying some ad hoc dynamical distinction between encoded message 
and key in the evaporation process. Our results imply that if the dynamics are well-modeled by a Haar ran- 
dom unitary transformation, then any small portion of the output system can be used as the key. No ad hoc 
distinction is necessary. 

Ironically, the information locking effect is also perfectly compatible with the rapid release of information 
from a black hole predicted in [HP07], assuming a unitary evaporation process. That article observed that if a 
black hole is already highly entangled with Hawking radiation from an earlier time, then messages would be 
released from the black hole in the Hawking radiation once the black hole dynamics had sufficiently "scram- 
bled" the message with internal black hole degrees of freedom. By virtue of the fact that we treat generic 
unitary transformations acting on a message and half of an entangled state, our results apply to the setting 
of that paper and the followup [SS08]. Specifically, our results imply that in the case of a larger message, 
no information about the message could be obtained from the Hawking radiation until moments before it 
could all be obtained. The conclusion depends, of course, on whether the random unitary transformation is 
a good model of the evaporation process. While the generic unitary transformations considered here would 
take exponential time to implement on a quantum computer, the follow-up article [FHS10] shows, at least, 
that locking can be achieved with a quantum circuit of depth only slightly superlinear in the number of qubits 
in the system. Other attempts to apply random unitary transformations to the black hole information problem, 
such as [Llo06, BSZ09], will be affected similarly by information locking. 

To summarize, this article defined information locking more stringently than previously and nonetheless found 
that this stronger form of locking is generic: if information is encoded using a random unitary transformation, 




(9.1) 
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then it will either be decodable or locked. Almost no middle ground occurs. This observation has implications 
for cryptography and, potentially, for black hole physics. 

Acknowledgments 

Andreas Winter has independently established some locking results for generic unitary transformations. We 
would like to thank Jonathan Oppenheim for helpful discussions and the Mittag-Leffler Institute for its kind 
hospitality. This research was supported by the Canada Research Chairs program, the Perimeter Institute, 
CIFAR, CFI, FQRNT's INTRIQ, MITACS, NSERC, ORF, ONR through grant N000 1408 11249, Quantum- 
Works, and the Swiss National Science Foundation through grant no. 200021-119868. 

References 

[ACN87] Y. Aharonov, A. Casher, and S. Nussinov. The unitarity puzzle and Planck mass stable particles. 
Physics Letters B, 191:51-55, 1987. 

[ADHW09] Anura Abeyesinghe, Igor Devetak, Patrick Hayden, and Andreas Winter. The mother of all 
protocols: Restructuring quantum information's family tree. Proceedings of the Royal Society 
A, (465):2537-2563, 2009. quant-ph/0606225. 

Robert Alicki and Mark Fannes. Continuity of quantum mutual information. Journal of Physics 
A: Mathematical and General, 37(5):L55-L57, 2004. quant-ph/03 12081. 

Greg W. Anderson, Alice Guionnet, and Ofer Zeitouni. An Introduction to Random Matrices. 
Cambridge University Press, 2009. http://www.wisdom.weizmann.ac.il/ zeitouni/cupbookpdf. 

Rudolf Ahlswede and Andreas Winter. Strong converse for identification via quantum channels. 
IEEE Transactions on Information Theory, 48(3):569-579, 2002. quant-ph/0012127. 

Harry Buhrman, Matthias Christandl, Patrick Hayden, Hoi-Kwong Lo, and Stephanie Wehner. 
Security of quantum bit string commitment depends on the information measure. Physical 
Review Letters, 97:250501, 2006. arXiv:quant-ph/0609237. 

Harry Buhrman, Matthias Christandl, Patrick Hayden, Hoi-Kwong Lo, and Stephanie Wehner. 
Possibility, impossibility, and cheat-sensitivity of quantum bit string commitment. Physical 
Review A, 78:022316, 2008. arXiv:quant-ph/0504078. 

Rajendra Bhatia. Matrix Analysis. Springer- Verlag, 1996. 

Robin Blume-Kohout and Wojciech H. Zurek. Quantum Darwinism: Entanglement, branches, 
and the emergence of classicality of redundantly stored quantum information. Physical Review 
A, 73:062310, 2006. 

[BOHL+05] Michael Ben-Or, Michal Horodecki, Debbie Leung, Dominic Mayers, and Jonathan Oppen- 
heim. The universal composable security of quantum key distribution. Second Theory of Cryp- 
tography Conference, TCC2005, 3378:386-406, 2005. quant-ph/0409078. 

[BSZ09] Samuel L. Braunstein, Hans-Jurgen Sommers, and Karol Zyczkowski. Entangled black holes as 
ciphers of hidden information. arXiv:0907.0739, 2009. 



[AF04] 
[AGZ09] 
[AW02] 
[BCH+06] 

[BCH+08] 

[Bha96] 
[BKZ06] 



28 



[CW87] R. D. Carlitz and R. S. Willey. Lifetime of a black hole. Physical Review D, 36:2336-2341, 
1987. 

[DHL+04] David P. DiVincenzo, Michal Horodecki, Debbie W. Leung, John A. Smolin, and Barbara M. 

Terhal. Locking classical correlation in quantum state. Phys. Rev. Lett., (92, 067902), 2004. 
quant-ph/0303088. 

[Dup09] Frederic Dupuis. The decoupling approach to quantum information theory. PhD thesis, Univer- 
site de Montreal, 2009. arXiv: 1004. 1641. 

[FHS10] Omar Fawzi, Patrick Hayden, and Pranab Sen. From low-distortion embeddings to metric un- 
certainty relations and information locking, to appear, 2010. 

[Fuc96] Christopher A. Fuchs. Distinguishability and accessible information in quantum theory. PhD 
thesis, University of New Mexico, 1996. quant-ph/0601020. 

[GL03] Daniel Gottesman and Hoi-Kwong Lo. Proof of security of quantum key distribution with 
two-way classical communications. IEEE Transactions on Information Theory, 49(2):457^475, 
2003. quant-ph/0105121. 

[HLSW04] Patrick Hayden, Debbie Leung, Peter Shor, and Andreas Winter. Randomizing quantum states: 
Constructions and applications. Comm. Math. Phys., 250(2):371-391, 2004. quant-ph/0307104. 

[HP07] Patrick Hayden and John Preskill. Black holes as mirrors: quantum information in random 
subsystems. Journal of High Energy Physics, 07(09): 120, 2007. 

[HV01] Leah Henderson and Vlatko Vedral. Classical, quantum and total correlations. Journal of physics 
A: mathematical and general, 34(35):6899, 2001. 

[KRBM07] Robert Konig, Renato Renner, Andor Bariska, and Ueli Maurer. Locking of accessible informa- 
tion and implications for the security of quantum cryptography. Phys. Rev. Lett., 98(140502), 
2007. quant-ph/05 12021. 

[LC99] Hoi-Kwong Lo and Hoi-Fung Chau. Unconditional security of quantum key distribution over 
arbitrarily long distances. Science, 283(5410):2050-2056, 1999. quant-ph/9803006. 

[LCA05] Hoi-Kwong Lo, Hoi-Fung Chau, and M. Ardehali. Efficient quantum key distribution scheme 
and proof of its unconditional security. Journal of Cryptology, 18(133), 2005. quant- 
ph/0011056. 

[Llo06] Seth Lloyd. Almost certain escape from black holes in final state projection models. Physical 
Review Letters, 96:061302, 2006. 

[NC00] Michael A. Nielsen and Isaac L. Chuang. Quantum computation and quantum information. 
Cambridge University Press, New York, NY, USA, 2000. 

[OZ01] Harold Ollivier and Wojciech H. Zurek. Quantum discord: a measure of the quantumness of 
correlations. Physical Review Letters, 88:017901, 2001. 

[Ren05] Renato Renner. Security of quantum key distribution. PhD thesis, ETH Zurich, 2005. quant- 
ph/05 12258. 



29 



[RK05] Renato Renner and Robert Konig. Universally composable privacy amplification against quan- 
tum adversaries. Second Theory of Cryptography Conference, TCC2005, 3378:407-425, 2005. 
quant-ph/0403133. 

[SO06] John Smolin and Jonathan Oppenheim. Locking information in black holes. Physical Review 
Letters, 96(8):081302-H-, 2006. 

[SP00] Peter Shor and John Preskill. Simple proof of security of the BB84 quantum key distribution 
protocol. Phys. Rev. Lett, 85, 2000. quant-ph/0003004. 

[SS08] Y. Sekino and L. Susskind. Fast scramblers. Journal of High Energy Physics, 10:65-+, 2008. 
arxiv:0808.2096. 

[WSFB09] T. Werlang, S. Souza, F. F. Fanchini, and C. J. Villas Boas. Robustness of quantum discord to 
sudden death. Physical Review A, 80:024103, 2009. 



30 



A Miscellany 



Definition A.l (Lipschitz constant). Let f : X — >■ 2) be a function from the metric space (X, d%) to the metric 
space (2), dsp). Then, the Lipschitz, constant of f is defined as 

sup d^(f(x 1 ),f(x 2 )) 
dx{xi,x 2 ) 

If the above quantity is not bounded, the constant is not defined. 

Lemma A.l (Lemma IV.3 in [ADHW09]). For any matrix X AAR and for dU the Haar measure over uni- 
taries, we have the following property: 



L 



where 



(U A ® <g> I R ) X AAR [U\ ® ® I R ) dU = a + (X) ®nf + a- (X) ® U A 



Lemma A.2 (Operator Chernoff bound [AW02]). Let X±, . . . , Xu be i.i.d. random variables taking values 
in the operators Pos(A), with ^ X, ^ I, with A = EX,- ^ al, and let < r] ^ 1/2. 77iera 
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Lemma A.3 (Trace distance versus Euclidean norm for pure states (See, e.g. [NCOO].)). Consider any two 
quantum states \<p),\<p) with density associated operators ip, <£> respectively. We can relate the 1-norm distance 
between the operators to the 2-norm distance of the states as follows, 



\ip — (^Hj < 2 



2 • 



Lemma A.4 (A bound for the 1-norm in terms of conditional entropy [Ren05, Dup09]). Let p G L(A) be any 
Hermitian operator and let 7 6 Pos(A) be a positive definite operator. Then, 



pW^jTrWTr (7-1/4^-1/4) 



Proof. 



\P\\i 



max |Tr [Up] \ 
UgU(A) 



= max 
ueu(A) 



Tr 



( 7 1 / 4 f/7 1/4 ) (7- 1/4 P7- 1/4 ) 



< ^max y Tr [(7W7V4) fri/W-y 1 /*)] T r [ 7 "V4 p 7-1/2 p \ 7 -i/4] 

max Tr [71/2^1/2^] Tr [7-1/4 07-1/2 _f 7-1/4] 
J7eW(A) L 



= ^TV [7] Tr [7^/4^ 7-1/2 p t 7-1/4] ; 
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where the first equality is an application of Lemma 1.6 in [Dup09] and the inequality results from an ap- 
plication of Cauchy-Schwarz, and the maximizations are over all unitaries on A. The last equality follows 
from 



max Tr 

ueU(A) 



7 



1/2 



^max y'Tr [7] Tr [U-f^WU^W] 
Tr[ 7 ] 



max Tr 

UeU(A) 



A/ 2 



□ 
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